Saudi Arabia Insurance Authority’s Release the Much-Anticipated Draft Insurance Law

Briefing

08 July 2025

15 MIN READ

1 AUTHOR

In line with the increasing economic importance of the KSA insurance and reinsurance industry, and in keeping with the Insurance Authority’s (‘IA’) aims to regulate, supervise, and control the sector, the IA has published the much-anticipated draft Insurance Law (‘the Law’), which is open public consultation until 22 July 2025.

Objectives

The stated objectives of the Law echo the IA’s goals to: achieve stability and growth, encourage investment and strengthen stakeholder confidence; establish contractual principles and protect the rights of policyholders and beneficiaries; support innovation and digital transformation; promote and regulate fair competition; develop training and localisation; and effectively supervise the sector.

The Law will replace the Law on Supervision of Cooperative Insurance Companies (2003), and all insurance-related powers and responsibilities set out in the Cooperative Health Insurance Law (1999). It also consolidates and updates a number of other laws and regulations, and repeals all conflicting provisions therein, such as the Cooperative Insurance Companies Control Law (2021); Insurance Corporate Governance Regulations (2015); Outsourcing Regulation (2012); Insurance Intermediaries Regulation (2011); and Regulation of Reinsurance Activities (2010).

Application

The Law will apply to all insurance and reinsurance activities (‘re/insurance’) and insurance services, and to any person who engages in re/insurance activities or provides insurance services within KSA.

It separates out re/insurance activities as classified into a. general insurance and b. protection and savings insurance, with categories of each to be specified in implementing instruments, and it prohibits the combining of the two.

Licensing

There are prescribed licensing procedures for any person intending to engage in re/insurance business in the Kingdom, and each re/insurance company licensed under the Law must maintain a head office within KSA. The IA is empowered to license, suspend or revoke the licenses of direct insurers, reinsurers, captive insurers and captive reinsurers.

Foreign re/insurers that do not conduct re/insurance activities in KSA but engage in coordination activities, such as market-related research, communications and other non-operational activities, must establish a representative office in KSA, after registering it with the IA. The representative office is not permitted to carry out any other activities, including re/insurance activities or providing re/insurance services, without obtaining IA approval.

Further regulations will be issued setting out the criteria for foreign re/insurers wishing to establish a branch in KSA to conduct re/insurance business, inclusive of procedural requirements for applying for a license and operating the branch.

A licensed foreign re/insurer will be required to appoint a General Manager (‘GM’) who must have IA approval and reside in KSA. Should the GM be removed, the branch must cease from re/insurance activities or providing services in KSA until a replacement is appointed. This will not affect the validity of existing rights or claims, or the collection of premiums for policies issued, prior to the GM’s removal.

Governance

In terms of governance, re/insurers must establish a framework inclusive of written policies in compliance with the legislative regime, implement the same and perform at least an annual review. Structurally, re/insurers must establish an effective risk management system with a risk management department, and in internal control system with an internal audit and an internal actuarial department. IA approval is required before appointing persons to key functions.

There are provisions governing re/insurers controlling entities, own funds and risk-based capital requirements, valuation of assets and liabilities, and for technical provisions. There are also provisions regarding financial reporting, liquidation and the transfer of business. The IA may require re/insurers to invest their assets in the local market to ensure the availability of such assets.

Service providers

The Law also provides for the licensing, suspension and revocation of insurance services providers, defined as any person licensed to provide agency, broking, advisory, claims handling, policy administration, actuarial, loss assessment, loss adjustment, or insurance consultancy services; together with any other activities determined by the IA.

Insurance services providers must maintain capital at least equal to prescribed capital requirements, and segregate bank accounts to manage client funds.

Agents and brokers cannot appoint persons to leadership positions without IA approval. They cannot enter into, or claim authority to enter into, re/insurance contracts without explicit authorisation by written agreement. They must disclose all material information to potential insureds prior to any applications for cover.

The IA will establish and maintain registers of insurance services providers and persons removed/prohibited from their roles.

Technology and data protection

There is recognition of the importance of data protection in the re/insurance sector. In accordance with wider data privacy legislative provisions, any data submitted to the IA must be complete, accurate, and up to date. It must also be in prescribed formats, mechanisms and timeframes.

The IA, in coordination with the relevant authorities, will establish a central database for historic claims and fraud detection. The database will also aim to collect anonymised claims data to enhance risk assessment and pricing accuracy; and to facilitate a secure data exchange between re/insurers, service providers, the IA and other relevant entities.

The IA will collaborate with re/insurers, service providers and other stakeholders to ensure comprehensive and systematic data collection. It will also establish a central data system in this regard to enhance risk management and regulatory oversight; monitor market trends and emerging risks; increase transparency; and support data-driven decision-making.

Prior IA written approval is required before selling policies via third-party platforms, e.g. such as those operated by airlines and banks.

Again in coordination with the relevant authorities, the IA will oversee the enforcement of national cybersecurity requirements, and it will issue sector-specific controls.

Prudent re/insurers and service providers will no doubt implement systems to ensure alignment of the Law’s requirements with KSA data privacy and cyber security legislation.

Outsourcing

In developing the previous legislative definition of material outsourcing, the Law provides that re/insurers must not outsource ‘core functions’ (defined as outsourced activities by a re/insurer where a failure or deficiency in the service could impact the company’s ability to meet regulatory requirements, or materially weaken its financial soundness, operational capacity, or ability to meet its obligations to policyholders). However, the Law then also provides that re/insurers may submit a prior written notice to the IA before entering into arrangements to outsource core functions. We anticipate that the final version of the Law will provide clarity.

We also anticipate that the final version of the Law will provide clarity on the issue of the transfer of personal data (e.g. policyholder data) outside of KSA, which is currently permitted (subject to certain criteria) pursuant to the Outsourcing Regulation of 2012 yet prohibited by the 2008 Insurance Market Code of Conduct. It is of course also permitted (again subject to certain criteria) by the Personal Data Protection Law in force from 2023.

The Law further provides that re/insurers continuously monitor the performance and compliance of the third party to whom core functions are outsourced; and that they will remain responsible in accordance with the Law when outsourcing to a third party.

Subrogation

In cementing and building on the previous legislative reference to subrogation (at Article 20, Cooperative Insurance Companies Control Law (2021), which acknowledged the Insurance Disputes Committee’s (‘IDC’) responsibility to settle subrogated claims), the Law now expressly provides that if a claim arises due to a third party act or omission, then the re/insurer shall be subrogated to the policyholder’s rights, and have the right to exercise all rights under the policy. That is, of course, unless the policy stipulates otherwise.

Dispute resolution

The Law also builds on the Working Rules and Procedures of the Insurance Disputes and Violations Settlement Committees of 2014.

Procedurally, a complaint must first be submitted to the IA and thirty days must pass before a lawsuit is commenced before the IDC, unless the IA notifies the complainant that it may file a claim earlier. The Law also provides that this requirement may come to carry exceptions as deemed necessary in due course for sector stability and policyholder protection.

The committees will be composed of one or more panels, each consisting of three full-time principal members and one alternate member with legal qualifications and expertise. The chair and members of each panel will be appointed by Royal Order for a renewable period of three years.

The Law bestows power on the IDC to investigate and rule on cases, summon witnesses, issue decisions, impose penalties, order the submission of evidence and documents, and appoint experts. The power includes jurisdiction to consider appeals against IA actions and decisions. The IDC can award compensation, restore a situation to its original state, or take any other appropriate action to ensure an aggrieved party’s rights.

Appeals against first instance decisions must be submitted to the appellate committee within thirty days of notification of the decision, and the appellate committee decisions will remain final. Very interestingly, the Law expresses that the appellate committee may develop the procedural rules for both committees, inclusive of rules for hitherto unrecognised class action lawsuits in insurance disputes.

Waste, misuse and fraud

Re/insurers and service providers must establish internal policies and procedures, and mechanisms, and controls, to effectively detect, deter and manage incidents of waste, misuse and fraud committed by policyholders, employees or other involved parties.

Insurance fraud is considered a crime punishable under the Law. The IDC may, in addition to the penalties described below, impose a prison sentence of up to two years.

Complaints

Re/insurers remain required to establish mechanisms to receive complaints and claims and to resolve the same within prescribed timeframes (currently fifteen days for individuals and forty-five days for businesses upon receipt of all required information/documentation). They are also required to submit reports of all such complaints and claims to the IA. There are penalties for unjustified delay or unlawful rejection of claims (see below). The penalties will be more severe regarding mandatory insurance.

Enforcement

The IA has the power to conduct supervisory and inspection activities, and to engage external auditors to perform the same or provide support to the IA. It can request any data, documents or records deemed necessary to fulfil the Law’s above objectives.

The IA can also assign persons to detect crimes and violations, the same being granted the status of criminal enforcement officers, who can: perform regulatory visits and enter premises; examine and seize records, data and documents; review surveillance footage; request disclosure and provision of information; summon any suspect or individual with potentially useful information and record their statements; and seek assistance from relevant authorities when necessary.

Penalties

If the IA determines that any person has committed, participated in, or attempted anything that violates any provision of the Law, rules or regulations, or behaved in a way that seriously impairs the ability to meet statutory obligations, then the IA may: issue a warning; order cessation of the specific conduct; require an IA-approved corrective plan; appoint an observer to the company’s board of directors or equivalent body (without voting rights) to monitor the implementation of corrective measures; appoint advisors to assist the culpable party at the latter’s expense; prohibit the distribution of profits to meet solvency margin requirements; prohibit the violator from practicing re/insurance or providing insurance services; ban the violator from working with entities under the IA’s supervision; impose a fine not exceeding SAR 5 million for each violation; and take any other action prescribed by regulation.

The IA may also request the IDC to impose any of the following on individuals that intentionally violate the Law and its implementing regulations and rules: imprisonment up to four years; a fine up to SAR 5 million; seizure and enforcement against property; compensation for harmed individuals up to triple the gains realised or losses avoided due to the violation; and a travel ban.

For practising re/insurance activities or providing insurance services without a license, the IDC may, in addition to the above: order imprisonment for up to nine months; and confiscate financial proceeds from the unauthorised activity. In such circumstances, policies entered into by policyholders will remain valid as if the contract had been entered into with a licensed re/insurer, and it is at the policyholders’ discretion as to whether enforce it.

The IDC can also impose a prison sentence not exceeding nine months on anyone who: falsely claims to be licensed; unlawfully uses the term “insurance,” “reinsurance,” or any of their derivatives in their name, trademark, or promotional materials; or violates the IA’s instructions regarding share transfers or restrictions.

The same penalties apply to agents or brokers who fail to disclose all material information to policyholders prior to offering a policy. They also apply to insurance service providers who provide services to re/insurers on unlicensed lines of business and fail to maintain separate accounts for managing client funds.

The penalties also apply to any person who: refuses to provide required documents, information or data to the IA’s inspection and enforcement officers or obstructs their duties; abuses their authority or wastes re/insurers or insurance service providers’ funds; and engages in activities that constitute a systemic risk.

Further developments

The Law is a welcomed piece of legislation in furthering the IA’s objectives and developing the re/insurance sector in KSA.

As re/insurance in the Kingdom sophisticates, additional regulations, rules and guidelines are anticipated regarding, for instance: compulsory insurance products; captives and reinsurers; solvency requirements; data protection; insuretech and digital insurance; regulatory sandboxes for testing innovative solutions; outsourcing; claims handling; and establishing Shariah governance rules and standards.

It remains to be seen whether further insurance sector legislation will also develop principles such as, for example, uberrimae fidei (the doctrine of utmost good faith) and the policyholders’ duty to make to insurers a fair presentation of the risk, or an insurers’ remedies for policyholder breaches.

That said, the Law will sit alongside other important legislative developments in the Kingdom, not least the Civil Transactions Law of 2023. Accordingly, Article 41(2) provides that failure to inform any substantial term of the contract to the other party constitutes bad faith; and pursuant to Article 61(2) deliberate silence on a fact or circumstance constitutes a deceit if established that the victim would not have concluded the contract had he known of this fact or circumstance.

Taken holistically, whilst recognising the central and fundamental role of insurance within society, the KSA legislative framework is, like the country itself, rapidly advancing.